Big data distributed processing and secure data transferring with hyper fencing

ABSTRACT

Aspects of the disclosure relate to resource allocation and rebating during in-flight data masking and on-demand encryption of big data on a network. Computer machine(s), cluster managers, nodes, and/or multilevel platforms can request, receive, and/or authenticate requests for a big data dataset, containing sensitive and non-sensitive data. Profiles can be auto provisioned, and access rights can be assigned. Server configuration and data connection properties can be defined. Secure connection(s) to the data store can be established. The big data dataset can be uncompressed based on a codec and uncompressed data blocks can be distributed for processing. Sensitive information can be redacted into a sanitized dataset based on one or more data obfuscation types. The encrypted data can be transmitted, in response to the request, to a source, a target, and/or another computer machine and can be decrypted back into the sanitized dataset.

TECHNICAL FIELD OF DISCLOSURE

Aspects of the disclosure relate to processes and machines forelectrical computers and digital processing systems with respect todistributed processing and secure multiple computer data transferring.

BACKGROUND

Prior art attempts to handle big data traditionally relate to Hadoop,which is a set of open source programs and procedures. Hadoop isessentially made up of four modules, each of which carries out aparticular task essential for a computer system designed for big dataanalytics.

The most important modules are the Distributed File System, which allowsdata to be stored in an easily accessible format, across a large numberof linked storage devices, and the MapReduce—which provides the basictools for poking around in the data. A “file system” is the method usedby a computer to store data, so it can be found and used. Normally thisis determined by the computer's operating system, however a Hadoopsystem uses its own file system which sits “above” the file system ofthe host computer—meaning it can be accessed using any computer runningany supported OS. MapReduce is named after the two basic operations thismodule carries out—reading data from the database, putting it into aformat suitable for analysis (map), and performing mathematicaloperations such as, for example, counting the number of people aged 30+in a customer database (reduce). The third module is Hadoop Common,which provides the tools (in Java) needed for the user's computersystems (Windows, Unix or other) to read data stored under the Hadoopfile system. The final module is YARN (yet another resource negotiator),which manages resources of the systems storing the data and running theanalysis. Various other procedures, libraries or features have come tobe considered part of the Hadoop “framework” over recent years, butHadoop Distributed File System, Hadoop MapReduce, Hadoop Common andHadoop YARN are the principle four.

However, such prior art attempts at handling extremely large datasetswith Hadoop are insufficient. For example, distributed processingrequires configurable memory management. This is because the consumptionof any particular dataset will be required to create distributeddatasets. Although distributed datasets may fit in memory, many timesproblems such as OutOfMemoryError, high task launching costs, overburden and utilization in any of the orchestration services (a/k/aapplication managers) may be encountered with extremely large datasets.Keeping data in memory to ensure cost-efficient processing of big datameans that resource consumption is often very high and can result instarvation.

Another issue is security with respect to data flowing from disparatesources and for distributed processing. Such data flow must be properlysecured from potential insider and external threats.

Further, in any big data platform, data sanitization becomes a majorrisk to the information in external entities (and organized syndicates)out to break into any firewall protection by malicious insiders who havebeen granted access to the data. Every new data stream withoutobfuscation/masking of non-public personal information data (NPI)constitutes a new potential attack vector, which makes classic perimeterdefenses obsolete and vulnerable. There is currently a lack of aproduction grade product/framework that provides data obfuscation in aplatform independent manner. Deep insight is required since there may belittle or no control over NPI data, which resides in productionplatforms and is incredibly sensitive.

Yet another problem in attempting to handle big data and distributedprocessing arises when tasks that are actively running on a node fail tocomplete or cached distributed datasets on a node are lost. This impactsperformance drastically. Data flowing from disparate sources frominterconnected systems might cause all relevant jobs to get stuck tryingto recover and re-compute lost tasks and data, in some cases eventuallycrashing the entire job.

This disclosure addresses one or more of the shortcomings in theindustry and provides improved performance and security when handlingbig data. This disclosure it not limited to Hadoop and, instead,pertains more broadly to distributed processing and secure multiplecomputer transferring of big data by “computer machines” andcomputer-executable “software and data” across “network(s)” as thoseterms are defined and used herein.

SUMMARY

Aspects of the disclosure provide effective, efficient, scalable, andconvenient technical solutions that address and overcome the technicalproblems associated with handling big data such as, for example, byefficiently allocating and rebating resources such as RAM; obfuscatingNPI data when transferring data and tasks from upper lanes (e.g.,production platforms) and lower lanes (e.g., development platforms);isolating computers, clusters, nodes, cores, and/or executors that fail;efficiently transferring state information and tasks from failedcomputers, clusters, nodes and/or executors to others; providingfallback controller processes for detected faults; hyper fencing fileson a network and uncompres sing them before distributing or assigning toone or more cores; and providing a variety of post process reports suchas obfuscation summary reports, data processing summary reports, dataforensics reports, and resource leakage reports.

In accordance with one or more embodiments, in-flight data masking andon-demand encryption of big data on a network can be performed. Acomputer machine, coupled to the network and containingcomputer-readable memory, can authenticate a request for a big datadataset based on credentials received from a source. The request can bestored in a sector of the computer-readable memory. The big data datasetcan be stored in a data store coupled to the network. The big datadataset includes sensitive information and non-sensitive information. Aprofile can be auto provisioned corresponding to the request and storedin a sector of the computer-readable memory. Access rights for therequest can be assigned based on the profile and stored in a sector ofthe computer-readable memory. Server configuration and data connectionproperties for the data store containing the big data dataset can bedefined and stored in a sector of computer-readable memory. A secureconnection from the computer machine to the data store can beestablished based on the server connection and the data connectionproperties. At least one multiple data obfuscation type stored in asector of computer-readable memory can be registered. The big datadataset can be loaded from the data store on the network and stored in asector of computer-readable memory. The big data dataset can be searchedby the obfuscation computer machine, for the sensitive information to beredacted. The sensitive information in the big data dataset can beredacted into a sanitized dataset based on at least one multiple dataobfuscation type and the non-sensitive information and the sanitizeddataset can be stored in a sector of computer-readable memory. Redactionof the sensitive information in the big data dataset could be based onusing a pre-defined mask, using random generation, and/or using regularexpression obfuscation. If desired, regular expression obfuscation canbe used to capture pattern values and replace the pattern values with areplacing value format. The sanitized dataset can be encrypted intoencrypted data and stored in a sector of computer-readable memory. DataLake encryption, a Base64 algorithm, a text-to-binary scheme, and/or anyother form of desired encryption can be utilized. The encrypted data canbe transmitted, in response to the request, to a source, a target,and/or another computer machine and can be decrypted back into thesanitized dataset.

In other embodiments, one or more non-transitory computer-readable mediawith computer-executable instructions stored thereon executed by one ormore processors on a computer machine, communicatively coupled to anetwork, can be used to perform in-flight data masking and on-demandencryption of a big data dataset stored in a data store on the network.The big data dataset includes sensitive information and non-sensitiveinformation. The computer-readable instructions can include:authentication instructions to authenticate a request for the big datadataset based on credentials received from a source; auto provisioninstructions to identify a profile corresponding to the request, theprofile stored in a sector of the computer-readable medium; accessinstructions to assign access rights for the request based on theprofile, the access rights stored in a sector of the computer-readablemedium; server configuration and data connection instructions to defineconnection properties for the data store containing the big datadataset, the server configuration and data connection properties storedin a sector of the computer-readable medium; secure connectioninstructions to establish a secure connection from the obfuscationcomputer machine to the data store based on the server connection andthe data connection properties; registration instructions to register atleast one multiple data obfuscation type stored in a sector of thecomputer-readable medium; load instructions to load the big data datasetfrom the data store on the network into a sector of thecomputer-readable medium; search instructions to search the big datadataset for the sensitive information to be redacted; redactioninstructions to redact into a sanitized dataset the sensitiveinformation in the big data dataset based on the at least one multipledata obfuscation type and the non-sensitive information; storageinstructions to store the sanitized dataset into a sector of thecomputer-readable medium; encryption instructions to encrypt thesanitized dataset into encrypted data, the encrypted data stored in asector of the computer-readable medium; transmission instructions totransmit the encrypted data, in response to the request, to a source, atarget, and/or another computer machine and can be decrypted back intothe sanitized dataset.

In further embodiments, a multilevel computing platform for performingin-flight data masking and on-demand encryption of big data on a networkcan be utilized. A data store is coupled to the network and contains abig data dataset including sensitive information and non-sensitiveinformation. Upper lane and lower lane platforms each respectively have:at least one processor, at least one communication interfacecommunicatively coupled to the at least one processor and the network,and one or more computer-readable memories communicatively coupled tothe communication interfaces, the computer-readable media storingcomputer-executable instructions that, when executed by the processors,cause platforms to perform various actions. For example, the upper laneplatform can have and execute instructions to: authenticate a requestfor the big data dataset received via the upper communication interfacefrom a lower lane platform; auto provision a profile corresponding tothe request; assign access rights for the request based on the profile;define server configuration and data connection instructions for thedata store containing the big data dataset; securely connect the upperplatform to the data store via the upper communication interface basedon the server configuration and the data connection instructions;register at least one multiple data obfuscation type; load the big datadataset from the data store into a sector in the computer-readablememory via the upper communication interface; search the big datadataset for the sensitive information to be redacted; redact into asanitized dataset the sensitive information in the big data datasetbased on said at least one multiple data obfuscation type and thenon-sensitive information; store the sanitized dataset in a sector ofthe computer-readable memory; encrypt the sanitized dataset intoencrypted data in a sector of the upper computer-readable memory; andtransmit the encrypted data to the lower lane platform via the uppercommunication interface. Further, the lower lane platform can have andexecute instructions to: transmit the request for the big data datasetvia the lower communication interface to the upper platform; receive theencrypted data via the lower communication interface from the upperplatform; store the encrypted data in a sector of the computer-readablememory; decrypt the encrypted data into the sanitized dataset; and storethe sanitized dataset in a sector of its computer-readable medium.

In accordance with one or more embodiments, resource allocation andrebating during in-flight data masking and on-demand encryption of bigdata on a network can be implemented. A computer machine, coupled to thenetwork and containing computer-readable memory, can authenticate arequest for a big data dataset based on credentials received from asource. The request can be stored in a sector of the computer-readablememory. The big data dataset can be stored in a data store coupled tothe network. The big data dataset includes sensitive information andnon-sensitive information. A profile can be auto provisionedcorresponding to the request and stored in a sector of thecomputer-readable memory. Access rights for the request can be assignedbased on the profile and stored in a sector of the computer-readablememory. Server configuration and data connection properties for the datastore containing the big data dataset can be defined and stored in asector of computer-readable memory. A secure connection from thecomputer machine to the data store can be established based on theserver connection and the data connection properties. At least onemultiple data obfuscation type stored in a sector of computer-readablememory can be registered. The big data dataset can be loaded from thedata store on the network and stored in a sector of computer-readablememory. The big data dataset can be searched by the computer machine,for the sensitive information to be redacted. The sensitive informationin the big data dataset can be redacted into a sanitized dataset basedon at least one multiple data obfuscation type and the non-sensitiveinformation and the sanitized dataset can be stored in a sector ofcomputer-readable memory. Redaction of the sensitive information in thebig data dataset could be based on using a pre-defined mask, usingrandom generation, and/or using regular expression obfuscation. Ifdesired, regular expression obfuscation can be used to capture patternvalues and replace the pattern values with a replacing value format. Thecomputer machine's RAM requirements and current RAM allocation can bediagnosed. A portion of the current RAM allocation exceeding the RAMrequirements can be rebated. The sanitized dataset can be encrypted intoencrypted data and stored in a sector of computer-readable memory. DataLake encryption, a Base64 algorithm, a text-to-binary scheme, and/or anyother form of desired encryption can be utilized. The encrypted data canbe transmitted, in response to the request, to a source, a target,and/or another computer machine and can be decrypted back into thesanitized dataset.

In some embodiments, available nodes, available cores, and available RAMin a cluster can be determined along with required nodes, requiredcores, and required RAM in the cluster. The required cores can becalculated to be a number of current tasks assigned per executor. Anumber of required executors can be calculated as the required cores pernode divided by the required cores per executor, minus 1, multiplied bythe available nodes.

In some embodiments, RAM overhead can be calculated as a percentage ofmaximum RAM multiplied by executor memory. RAM per executor can becalculated as the maximum RAM divided by the number of executors pernode, minus the RAM overhead. A required memory per job and/or task(s)can be calculated.

In some embodiments, a namenode having a namenode memory can be read todetermine a total namenode memory and an allocated namenode memory.Namenode heap memory and YARN memory can be determined.

In some embodiments, benchmark audit log(s) can be analyzed to determinestorage memory and shuffle write per job modeling through a smart assistregression algorithm. The smart assist regression algorithm can amachine learning model used to predict an optimal RAM allocation and canbe trained based on historical records.

In some embodiments, the optimal RAM allocation can be equal to the sumof a data size, a disk I/O, a storage, a cache memory, and a Javavirtual machine memory.

In some embodiments, supplemental diagnosing and rebating for anyincremental load of the big data dataset can be performed.

In other embodiments, one or more non-transitory computer-readable mediawith computer-executable instructions stored thereon executed by one ormore processors on a computer machine, communicatively coupled to anetwork, can be used to perform resource allocation and rebating duringin-flight data masking and on-demand encryption of a big data datasetstored in a data store on the network. The big data dataset includessensitive information and non-sensitive information.

The computer-readable instructions can include: authenticationinstructions to authenticate a request for the big data dataset based oncredentials received from a source, auto provision instructions toidentify a profile corresponding to the request, the profile stored in asector of the computer-readable medium; access instructions to assignaccess rights for the request based on the profile, the access rightsstored in a sector of the computer-readable medium; server configurationand data connection instructions to define connection properties for thedata store containing the big data dataset, the server configuration anddata connection properties stored in a sector of the computer-readablemedium, secure connection instructions to establish a secure connectionfrom the obfuscation computer machine to the data store based on theserver connection and the data connection properties; registrationinstructions to register at least one multiple data obfuscation typestored in a sector of the computer-readable medium; load instructions toload the big data dataset from the data store on the network into asector of the computer-readable medium; search instructions to searchthe big data dataset for the sensitive information to be redacted;redaction instructions to redact into a sanitized dataset the sensitiveinformation in the big data dataset based on said at least one multipledata obfuscation type and the non-sensitive information; diagnosinginstructions to identify RAM requirements and a current RAM allocation;rebate instructions to rebate a portion of the current RAM allocationthat exceeds the RAM requirements; storage instructions to store thesanitized dataset into a sector of the computer-readable medium;encryption instructions to encrypt the sanitized dataset into encrypteddata, the encrypted data stored in a sector of the computer-readablemedium; and transmission instructions to transmit the encrypted data, inresponse to the request, to a source, a target, and/or another computermachine and can be decrypted back into the sanitized dataset.

In further embodiments, a computing platform for performing resourceallocation and rebating during in-flight data masking and on-demandencryption of big data on a network can be used. A data store can becoupled to the network and can contain a big data dataset includingsensitive information and non-sensitive information. Computer machine(s)having at least one processor, at least one communication interfacecommunicatively coupled to the at least one processor and the network,and one or more computer-readable media communicatively coupled to theat least one communication interface can be used. The computer-readablemedium can store computer-executable instructions that, when executed bythe processor(s), cause the computer machine(s) to: authenticate arequest for the big data dataset based on credentials received from asource, auto provision a profile corresponding to the request, theprofile stored in a sector of the computer-readable medium; assignaccess rights for the request based on the profile, the access rightsstored in a sector of the computer-readable medium; define connectionproperties for the data store containing the big data dataset, theserver configuration and data connection properties stored in a sectorof the computer-readable medium; establish a secure connection from thecomputer machine to the data store based on the server connection andthe data connection properties; register at least one multiple dataobfuscation type stored in a sector of the computer-readable medium;load the big data dataset from the data store on the network into asector of the computer-readable medium; search the big data dataset forthe sensitive information to be redacted; redact into a sanitizeddataset the sensitive information in the big data dataset based on theat least one multiple data obfuscation type and the non-sensitiveinformation; identify RAM requirements and a current RAM allocation;rebate a portion of the current RAM allocation that exceeds the RAMrequirements; store the sanitized dataset into a sector of thecomputer-readable medium; encrypt the sanitized dataset into encrypteddata, the encrypted data stored in a sector of the computer-readablemedium; and transmit the encrypted data, in response to the request, toa source, a target, and/or another computer machine and can be decryptedback into the sanitized dataset.

In accordance with one or more embodiments, a computing platform forhandling faults during in-flight data masking and on-demand encryptionof big data on a network can be used. A data store can be coupled to thenetwork and can contain a big data dataset including sensitiveinformation and non-sensitive information. One or more computer nodesand/or cluster manager(s) can have: processor(s) running set(s) ofexecutors; communication interface(s) communicatively coupled to theprocessor(s) and the network, and one or more computer-readable mediacommunicatively coupled to the communication interface(s), thecomputer-readable media storing computer-executable instructions that,when executed by the processor(s), cause one or more computer nodes toexecute tasks in the set(s) of executors related to a request from asource for the big data dataset.

The cluster manager(s) can execute instructions to: store a broad listof available executors that include the set(s) of executors in the oneor more computer node(s); manage the set(s) of executors in the computernode(s); receive the request for the big data dataset; assign one ormore of the executors in the node(s) various task(s) relating to therequest for the big data dataset; instruct that the sensitiveinformation in the big data dataset be redacted to create a sanitizeddataset that includes the redacted sensitive information and thenon-sensitive information; detect crashed executor(s) and remove themfrom the broad list of available executors to create a reduced list ofavailable executors such that the crashed executor is no longer used;determine any incomplete tasks assigned to the crashed executor;transfer the incomplete tasks to one or more of the executors in thereduced list of available executors; encrypt the sanitized dataset intoencrypted data once all of said sensitive information has been redacted;and transmit the encrypted data to the source in response to therequest, wherein the encrypted data can be transmitted, in response tothe request, to a source, a target, and/or another computer machine andcan be decrypted back into the sanitized dataset.

In some embodiments, the computer-readable media for the clustermanager(s) may also include instructions to: authenticate the requestfrom the source for the big data dataset; auto provision a profilecorresponding to the request; assign access rights for the request basedon the profile; define server configuration and data connectioninstructions for the data store containing the big data dataset;securely connect the cluster computer machine to the data store via thecluster communication interface based on the server configuration andthe data connection instructions; register at least one multiple dataobfuscation type; load the big data dataset from the data store into thecluster computer-readable memory via the cluster communicationinterface; and distribute the big data dataset to one or more computernode(s).

In other embodiments, handling faults during in-flight data masking andon-demand encryption of big data on a network can be performed with acomputer machine, coupled to the network and containingcomputer-readable memory, which can authenticate a request for a bigdata dataset based on credentials received from a source. The requestcan be stored in a sector of the computer-readable memory. The big datadataset can be stored in a data store coupled to the network. The bigdata dataset includes sensitive information and non-sensitiveinformation. A profile can be auto provisioned corresponding to therequest and stored in a sector of the computer-readable memory. Accessrights for the request can be assigned based on the profile and storedin a sector of the computer-readable memory. Server configuration anddata connection properties for the data store containing the big datadataset can be defined and stored in a sector of computer-readablememory. A secure connection from the computer machine to the data storecan be established based on the server connection and the dataconnection properties. At least one multiple data obfuscation typestored in a sector of computer-readable memory can be registered. Thebig data dataset can be loaded from the data store on the network andstored in a sector of computer-readable memory. The big data dataset canbe searched by the obfuscation computer machine, for the sensitiveinformation to be redacted. The sensitive information in the big datadataset can be redacted into a sanitized dataset based on at least onemultiple data obfuscation type and the non-sensitive information and thesanitized dataset can be stored in a sector of computer-readable memory.Redaction of the sensitive information in the big data dataset could bebased on using a pre-defined mask, using random generation, and/or usingregular expression obfuscation. If desired, regular expressionobfuscation can be used to capture pattern values and replace thepattern values with a replacing value format. Crashed executor(s) thecrashed during any processing of the big data dataset can be detected.The crashed executor(s) can be removed from the list of availableexecutors to create a list of non-crashed executors, which can be storedin a sector of computer-readable memory. Any uncompleted task(s)assigned to the crashed executor(s) can be resubmitted to one or more ofthe other non-crashed executors either on the same node or another node.The sanitized dataset can be encrypted into encrypted data and stored ina sector of computer-readable memory. Data Lake encryption, a Base64algorithm, a text-to-binary scheme, and/or any other form of desiredencryption can be utilized. The encrypted data can be transmitted, inresponse to the request, to a source, a target, and/or another computermachine and can be decrypted back into the sanitized dataset.

In further embodiments, one or more non-transitory computer-readablemedium or media with computer-executable instructions stored thereonexecuted by one or more processors on computer machine(s) for faulthandling during in-flight data masking and on-demand encryption of a bigdata dataset stored in a data store on a network can be used. The bigdata dataset can include sensitive information and non-sensitiveinformation. The computer machine(s) can be communicatively coupled tothe network. Instructions on the one or more computer-readable media caninclude: authentication instructions to authenticate a request for thebig data dataset based on credentials received from a source; autoprovision instructions to identify a profile corresponding to therequest, the profile stored in a sector of the computer-readable medium;access instructions to assign access rights for the request based on theprofile, the access rights stored in a sector of the computer-readablemedium; server configuration and data connection instructions to defineconnection properties for the data store containing the big datadataset, the server configuration and data connection properties storedin a sector of the computer-readable medium; secure connectioninstructions to establish a secure connection from the computermachine(s) to the data store based on the server connection and the dataconnection properties; registration instructions to register at leastone multiple data obfuscation type stored in a sector of thecomputer-readable medium; load instructions to load the big data datasetfrom the data store on the network into a sector of thecomputer-readable medium; search instructions to search the big datadataset for the sensitive information to be redacted; redactioninstructions to redact into a sanitized dataset the sensitiveinformation in the big data dataset based on said at least one multipledata obfuscation type and the non-sensitive information; diagnosinginstructions to identify RAM requirements and a current RAM allocation;rebate instructions to rebate a portion of the current RAM allocationthat exceeds the RAM requirements; detection instructions to detect acrashed executor; remove instructions to remove the crashed executorfrom a broad list of available executors to create a reduced list ofavailable executors such that the crashed executor is no longer used;identification instructions to identify any incomplete tasks assigned tothe crashed executor; transfer instructions to transfer said incompletetasks to an available executor in the reduced list of availableexecutors; storage instructions to store the sanitized dataset into asector of the computer-readable medium; encryption instructions toencrypt the sanitized dataset into encrypted data, said encrypted datastored in a sector of the computer-readable medium; and transmissioninstructions to transmit the encrypted data, in response to the request,to a source, a target, and/or another computer machine and can bedecrypted back into the sanitized dataset.

In accordance with one or more embodiments, a computing platform forfallback control during in-flight data masking and on-demand encryptionof big data on a network can be used. A data store can be coupled to thenetwork and can contain a big data dataset including sensitiveinformation and non-sensitive information. One or more computer nodesand/or cluster manager(s) can have: processor(s) running set(s) ofexecutors; communication interface(s) communicatively coupled to theprocessor(s) and the network, and one or more computer-readable mediacommunicatively coupled to the communication interface(s), thecomputer-readable media storing computer-executable instructions that,when executed by the processor(s), cause one or more computer nodes toexecute tasks in the set(s) of executors related to a request from asource for the big data dataset. The cluster manager(s) can executeinstructions to: store a broad list of available executors that includethe set(s) of executors in the one or more computer node(s); manage theset(s) of executors in the computer node(s); receive the request for thebig data dataset; assign one or more of the executors in the node(s)various task(s) relating to the request for the big data dataset;instruct that the sensitive information in the big data dataset beredacted to create a sanitized dataset that includes the redactedsensitive information and the non-sensitive information; create aplurality of state points corresponding to safe state(s) progressivelyreached by executors after completion of task(s); progressively updatestate points and corresponding safe states as task(s) are completed;progressively revoke prior state points in order to maintain currentstate points and safe states; detect crashed executor(s) and remove themfrom the broad list of available executors to create a reduced list ofavailable executors such that the crashed executor is no longer used;determine any incomplete tasks assigned to the crashed executor based onstate points; transfer incomplete tasks to non-crashed executors in thesame or a different node based on the latest safe state reached, wherebyonly an incomplete portion of the incomplete tasks is further processed;encrypt the sanitized dataset into encrypted data once all of saidsensitive information has been redacted; and the encrypted data can betransmitted, in response to the request, to a source, a target, and/oranother computer machine and can be decrypted back into the sanitizeddataset.

In some embodiments, the computer-readable media for the clustermanager(s) may also include instructions to: authenticate the requestfrom the source for the big data dataset; auto provision a profilecorresponding to the request; assign access rights for the request basedon the profile; define server configuration and data connectioninstructions for the data store containing the big data dataset;securely connect the cluster computer machine to the data store via thecluster communication interface based on the server configuration andthe data connection instructions; register at least one multiple dataobfuscation type; load the big data dataset from the data store into thecluster computer-readable memory via the cluster communicationinterface; and distribute the big data dataset to one or more computernode(s).

In further embodiments, fallback control during in-flight data maskingand on-demand encryption of big data on a network can be implemented byauthenticating, by computer machine(s), a request for a big data datasetbased on credentials received from a source. The machine can be coupledto the network and contain computer-readable memory, which can include alist of executors available for processing the big data dataset, saidlist of available executors stored in a sector of the computer-readablememory. The request can be stored in a sector of the computer-readablememory. The big data dataset can be stored in a data store coupled tothe network, said big data dataset including sensitive information andnon-sensitive information. The computer machine(s) may: auto provision aprofile corresponding to the request, said profile stored in a sector ofthe computer-readable memory; assigning access rights for the requestbased on the profile, said access rights stored in a sector of thecomputer-readable memory; define server configuration and dataconnection properties for the data store containing the big datadataset, said server configuration and said data connection propertiesstored in a sector of computer-readable memory; establishing a secureconnection from the obfuscation computer machine to the data store basedon the server connection and the data connection properties; register atleast one multiple data obfuscation type stored in a sector ofcomputer-readable memory; load into a sector of computer-readablememory, the big data dataset from the data store on the network; searchthe big data dataset for the sensitive information to be redacted;redact the sensitive information in the big data dataset based on saidat least one multiple data obfuscation type and the non-sensitiveinformation; store the sanitized dataset into a sector ofcomputer-readable memory; progressively store last safe state pointsreached during processing of the big data dataset; detect crashedexecutor(s) that crashed during processing of the big data dataset;remove the crashed executor(s) from the list of available executors tocreate a list of non-crashed executors, the list of non-crashedexecutors stored in the computer-readable memory; resubmit one or moreuncompleted portions of one or more incomple task(s) assigned to thecrashed executor to one of said non-crashed executors either on the samenode or on a different node, said uncompleted portion being determinedby the last safe state point reached, whereby only the uncompletedportion needs to be further processed; encrypt the sanitized datasetinto encrypted data, said encrypted data stored in a sector ofcomputer-readable memory; and the encrypted data can be transmitted, inresponse to the request, to a source, a target, and/or another computermachine and can be decrypted back into the sanitized dataset.

In further embodiments, one or more non-transitory computer-readablemedia with computer-executable instructions stored thereon executed byone or more processor( )s) on computer machine(s) can perform fallbackcontrol during in-flight data masking and on-demand encryption of a bigdata dataset stored in a data store on a network, the big data datasetincluding sensitive information and non-sensitive information, thecomputer machine(s) communicatively coupled to the network. Thecomputer-readable media may include: authentication instructions toauthenticate a request for the big data dataset based on credentialsreceived from a source; auto provision instructions to identify aprofile corresponding to the request, said profile stored in a sector ofthe computer-readable medium; access instructions to assign accessrights for the request based on the profile, the access rights stored ina sector of the computer-readable medium; server configuration and dataconnection instructions to define connection properties for the datastore containing the big data dataset, the server configuration and saiddata connection properties stored in a sector of the computer-readablemedium; secure connection instructions to establish a secure connectionfrom the computer machine to the data store based on the serverconnection and the data connection properties; registration instructionsto register at least one multiple data obfuscation type stored in asector of the computer-readable medium; load instructions to load thebig data dataset from the data store on the network into a sector of thecomputer-readable medium; search instructions to search the big datadataset for the sensitive information to be redacted; redactioninstructions to redact into a sanitized dataset the sensitiveinformation in the big data dataset based on said at least one multipledata obfuscation type and the non-sensitive information; diagnosinginstructions to identify RAM requirements and a current RAM allocationfor the computer machine(s); rebate instructions to rebate a portion ofthe current RAM allocation that exceeds the RAM requirements for thecomputer machine(s); detection instructions to detect one or morecrashed executor(s); remove instructions to remove the crashedexecutor(s) from a broad list of available executors to create a reducedlist of available executors such that the crashed executor is no longerused; state point instructions to store recent safe states reachedduring processing; identification instructions to identify anyincomplete tasks assigned to the crashed executor(s); incremental loadinstructions to identify any incomplete portion of any incomplete taskbased on the last safe state reached; transfer instructions to transferthe incomplete portion to an available executor in the reduced list ofavailable executors, whereby only the incomplete portion of theincomplete task needs to be further processed; storage instructions tostore the sanitized dataset into a sector of the computer-readablemedium; encryption instructions to encrypt the sanitized dataset intoencrypted data, said encrypted data stored in a sector of thecomputer-readable medium; and transmission instructions to transmit theencrypted data, in response to the request, to a source, a target,and/or another computer machine and can be decrypted back into thesanitized dataset.

In accordance with one or more embodiments, a multilevel computingplatform for performing in-flight data masking and on-demand encryptionof big data on a network can be utilized. A data store is coupled to thenetwork and contains a big data dataset including sensitive informationand non-sensitive information. The upper lane platform has a pluralityof processors. The lower lane platform has at least one processor.Further, the upper lane and lower lane platforms each respectively haveat least one communication interface communicatively coupled to theprocessors and the network, and a computer-readable memorycommunicatively coupled to the communication interfaces, thecomputer-readable media storing computer-executable instructions that,when executed by the processors, cause platforms to perform variousactions. For example, the upper lane platform can have and executeinstructions to: authenticate a request for the big data datasetreceived via the upper communication interface from a lower laneplatform; auto provision a profile corresponding to the request; assignaccess rights for the request based on the profile; define serverconfiguration and data connection instructions for the data storecontaining the big data dataset; securely connect the upper platform tothe data store via the upper communication interface based on the serverconfiguration and the data connection instructions; register at leastone multiple data obfuscation type; load the big data dataset from thedata store into a sector in the computer-readable memory via the uppercommunication interface; determine a compression codec applied to thebig data dataset; uncompress the big data dataset into uncompressed datablocks based on the compression codec, said uncompressed data blocksstored in a sector in the computer-readable memory; distribute theuncompressed data blocks to the plurality of upper processors forsanitization; search the big data dataset for the sensitive informationto be redacted; redact into a sanitized dataset the sensitiveinformation in the big data dataset based on said at least one multipledata obfuscation type and the non-sensitive information; store thesanitized dataset in a sector of the computer-readable memory; encryptthe sanitized dataset into encrypted data in a sector of the uppercomputer-readable memory; and transmit the encrypted data to the lowerlane platform via the upper communication interface. Further, the lowerlane platform can have and execute instructions to: transmit the requestfor the big data dataset via the lower communication interface to theupper platform; receive the encrypted data via the lower communicationinterface from the upper platform; store the encrypted data in a sectorof the computer-readable memory; decrypt the encrypted data into thesanitized dataset; and store the sanitized dataset in a sector of thecomputer-readable medium.

In some embodiments, the distribution of the uncompressed data blocks tothe plurality of upper processors for sanitization can be performed byan orchestration service.

In some embodiments, the compression codec can be determined by readinga plurality of initial bytes of a file in the big data dataset.

In some embodiments, the compression codec can be Gzip, Bzip2, Snappy,or LZO.

In some embodiments, the uncompressed data blocks can be at least 128MB.

In other embodiments, one or more non-transitory computer-readable mediacan have computer-executable instructions stored thereon executed by aplurality of processors on a computer machine communicatively coupled toa network can be used to perform in-flight data masking and on-demandencryption of a big data dataset stored in a data store on the networkwherein the big data dataset includes sensitive information andnon-sensitive information. The computer-executable instructions caninclude: authentication instructions to authenticate a request for thebig data dataset based on credentials received from a source; autoprovision instructions to identify a profile corresponding to therequest, said profile stored in a sector of the computer-readablemedium; access instructions to assign access rights for the requestbased on the profile, said access rights stored in a sector of thecomputer-readable medium; server configuration and data connectioninstructions to define connection properties for the data storecontaining the big data dataset, the server configuration and dataconnection properties stored in a sector of the computer-readablemedium, secure connection instructions to establish a secure connectionfrom the computer machine to the data store based on the serverconnection and the data connection properties; registration instructionsto register at least one multiple data obfuscation type stored in asector of the computer-readable medium; load instructions to load thebig data dataset from the data store on the network into a sector of thecomputer-readable medium; codec instructions to determine a compressioncodec applied to the big data dataset; uncompress instructions touncompress the big data dataset into uncompressed data blocks based onthe compression codec, said uncompressed data blocks stored in a sectorin the computer-readable memory; distribution instructions to distributethe uncompressed data blocks to the plurality of processors forsanitization; search instructions to search the big data dataset for thesensitive information to be redacted; redaction instructions to redactinto a sanitized dataset the sensitive information in the big datadataset based on the at least one multiple data obfuscation type and thenon-sensitive information; storage instructions to store the sanitizeddataset into a sector of the computer-readable medium; encryptioninstructions to encrypt the sanitized dataset into encrypted data, saidencrypted data stored in a sector of the computer-readable medium; andtransmission instructions to transmit the encrypted data, in response tothe request, to a source, a target, and/or another computer machine andcan be decrypted back into the sanitized dataset.

In further embodiments, in-flight data masking and on-demand encryptionof big data on a network can be performed by a computer machine that: iscoupled to the network, has a plurality of processors, and containscomputer-readable memory. A request for a big data dataset can bereceived and stored in a sector of the computer-readable memory. The bigdata dataset can be stored in a data store coupled to the network andcan include sensitive information and non-sensitive information. One ormore steps can be implemented to achieve the desired goals by:authenticating, by the computer machine, a request for a big datadataset based on credentials received from a source; auto provisioning,by the obfuscation computer machine, a profile corresponding to therequest, said profile stored in a sector of the computer-readablememory; assigning, by the computer machine, access rights for therequest based on the profile, said access rights stored in a sector ofthe computer-readable memory; defining, by the computer machine, serverconfiguration and data connection properties for the data storecontaining the big data dataset, said server configuration and said dataconnection properties stored in a sector of computer-readable memory;establishing, by the computer machine, a secure connection from theobfuscation computer machine to the data store based on the serverconnection and the data connection properties; registering, by thecomputer machine, at least one multiple data obfuscation type stored ina sector of computer-readable memory; loading, by the computer machineinto a sector of computer-readable memory, the big data dataset from thedata store on the network; detecting, by the computer machine, acompression codec for the big data dataset; uncompressing, by thecomputer machine, the big data dataset into uncompressed data blocksbased on the compression codec, said uncompressed data blocks stored ina sector in the computer-readable memory; distributing, by the computermachine, the uncompressed data blocks to said plurality of processorsfor sanitization; searching, by the computer machine, the big datadataset for the sensitive information to be redacted; redacting into asanitized dataset, by the computer machine, the sensitive information inthe big data dataset based on said at least one multiple dataobfuscation type and the non-sensitive information; storing, by thecomputer machine into a sector of computer-readable memory, thesanitized dataset; encrypting, by the computer machine, the sanitizeddataset into encrypted data, said encrypted data stored in a sector ofcomputer-readable memory; and the encrypted data can be transmitted, inresponse to the request, to a source, a target, and/or another computermachine and can be decrypted back into the sanitized dataset.

In various embodiments, computer machine(s), obfuscation computermachine(s), node(s), cluster(s), and cluster manager(s) may be in eitherupper platform(s)/lane(s) or lower platform(s)/lane(s) in a multilevelcomputing environment. Similarly, the request for the big data datasetcould originate from a source in the upper platform/lane or lowerplatform/lane. And, some or all of the functionality in one lane of theplatform as opposed to the other lane of the platform could be switchedas desired.

In various embodiments, redaction during in-flight data masking andon-demand encryption of big data on a network can be performed using apre-defined mask, using random generation, and/or using regularexpression obfuscation. If desired, the regular expression obfuscationcan be used to capture pattern values and replace the pattern valueswith a replacing value format.

In various embodiments, encryption can be performed using Data Lakeencryption, using a Base64 algorithm, using a text-to-binary scheme,and/or using any other desired encryption algorithm or method.

In various embodiments, safe state setpoint(s) can be set to keep trackof one or more latest safe states reached during processing beforedetection of a crash such that only the incomplete portion of a taskneeds to be resubmitted and/or distributed for further processing,thereby obviating the need to completely re-execute a failed task.Setpoints and states may be progressively revoked as task(s) aresuccessfully processed.

In various embodiments, fault handling algorithm(s) may be implementedand/or a fall back controller or fall back control can be used to stopin-memory batch processing if a fault occurs.

In various embodiments, all executors in a computer node may be removedfrom a broad list of available executors if any crashed executor isdetected within the computer node. Alternatively, only the crashedexecutor could be removed from the broad list and the remainingnon-crashed executors within the node can remain available forprocessing.

In various embodiments, a smart assist regression algorithm or othersuitable algorithm can be used to predict an optimal RAM allocation.And, RAM in excess of the optimal allocation can be released.

In various embodiments, RAM requirements and a current RAM allocationfor computer machine(s) can be diagnosed. And, portion(s) of the currentRAM allocation that exceed the RAM requirements for the machine(s) canbe rebated.

In various embodiments, resource allocation can be diagnosed, and RAMrebate(s) could be initiated as desired to optimize memory usage andperformance.

In various embodiments, categories of data for obfuscation can becataloged.

In various embodiments, one or more post processing reports can begenerated and stored in a sector of computer-readable memory. Samplereports may include an obfuscation summary report, a data processingsummary report, a data forensics report, and/or a resource leakagereport. Combination or alternative reports may be generated as well.

Implementations of various aspects of this disclosure can vary dependingon the preferences of system engineers and programmers, all of whichwould be within the knowledge of a person of ordinary skill in the artand could be implemented by such a person without undue experimentationby using custom and/or commercially available software. Althoughspecific examples have been suggested for certain aspects of thedisclosure, other implementations can be substituted without departingfrom the spirit of the invention contained in this disclosure and allare considered within the scope of the invention and claims.

These features, along with many others, are discussed in greater detailbelow.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of example and not limitedin the accompanying figures in which like reference numerals indicatesimilar elements and in which:

FIGS. 1A, 1B, and 1C depict an illustrative computing environment, inaccordance with one or more environments, for handling big data byefficiently allocating and rebating resources such as RAM; obfuscatingNPI data when transferring data and tasks from upper lanes and lowerlanes; isolating computers, clusters, nodes, cores, and/or executorsthat fail; efficiently transferring state information and tasks fromfailed computers, clusters, nodes and/or executors to others in order tooptimize completion of jobs and tasks without having to completelyre-execute them again in the event of a fault; providing fallbackcontroller processes for detected faults; and hyper fencing files on anetwork and uncompressing of them before distributing or assigning toone or more cores; and providing a variety of post process reports suchas obfuscation summary reports, data processing summary reports, dataforensics reports, and resource leakage reports.

FIG. 2 depicts an illustrative method for big data obfuscating inaccordance with one or more example embodiments;

FIG. 3 depicts an illustrative method for hyper fencing in accordancewith one or more example embodiments;

FIG. 4 depicts an illustrative method for fallback controlling inaccordance with one or more example embodiments;

FIGS. 5 and 6 depict illustrative methods for resource allocation andrebating in accordance with one or more example embodiments;

FIGS. 7 and 8 depict illustrative methods for handling faults inaccordance with one or more example embodiments; and

FIGS. 9, 10, 11, and 12 respectively depict sample post process reportssuch as an obfuscation summary report, a data processing summary report,a data forensics report, and a resource leakage report.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments,reference is made to the accompanying drawings, which form a parthereof, and in which is shown, by way of illustration, variousembodiments in which aspects of the disclosure may be practiced. It isto be understood that other embodiments may be utilized, and structuraland functional modifications may be made, without departing from thescope of the present disclosure.

It is noted that various connections between elements are discussed inthe following description. It is noted that these connections aregeneral and, unless specified otherwise, may be direct or indirect,wired or wireless, and that the specification is not intended to belimiting in this respect.

As used throughout this disclosure, computer-executable “software anddata” can include one or more: algorithms, applications, applicationprogram interfaces (APIs), attachments, big data, daemons, emails,encryptions, databases, datasets, drivers, data structures, file systemsor distributed file systems, firmware, graphical user interfaces,images, instructions, machine learning, middleware, modules, objects,operating systems, processes, protocols, programs, scripts, tools, andutilities. The computer-executable software and data is on tangible,computer-readable memory (local, in network-attached storage, orremote), can be stored in volatile or non-volatile memory, and canoperate autonomously, on-demand, on a schedule, and/or spontaneously.

“Computer machines” can include one or more: general-purpose orspecial-purpose network-accessible administrative computers, clusters,computing devices, computing platforms, desktop computers, distributedsystems, enterprise computers, laptop or notebook computers, mastercomputers, nodes, personal computers, portable electronic devices,servers, slave computers, smart devices, tablets, and/or workstations,which have one or more microprocessors or executors such as forexecuting or accessing the computer-executable software and data.References to computer machines and names of devices included withinthis definition are used interchangeably in this specification and arenot considered to be limiting or exclusive to only a specific type ofdevice. Instead, references in this disclosure to computer machines andthe like are to be interpreted broadly as understood by skilledartisans. Further, as used in this specification, computer machines alsoinclude all hardware and components typically contained therein such as,for example, processors/executors/cores 111, volatile and non-volatilememories 112, communication interfaces 113, etc.

Volatile and non-volatile memories may be comprised of one or morecomputer-readable media containing a plurality of sectors. As usedherein, a “sector” is broadly defined as subdivision(s) or block(s) ofmemory and is not limited to the minimum storage unit of a hard drive orother computer-readable medium. Further, the sector may have a fixedsize or may be variable.

Computer “networks” can include one or more local area networks (LANs),wide area networks (WANs), the Internet, wireless networks, digitalsubscriber line (DSL) networks, frame relay networks, asynchronoustransfer mode (ATM) networks, virtual private networks (VPN), or anycombination of any of the same. Networks also include associated“network equipment” such as access points, ethernet adaptors (physicaland wireless), firewalls, hubs, modems, routers, and/or switches locatedinside the network and/or on its periphery, as well as softwareexecuting on any of the foregoing.

FIGS. 1A, 1B, and 1C depict illustrative sample computing environments,in accordance one or more example embodiments, for handling big data,efficiently allocating and rebating resources such as RAM, obfuscatingNPI data when transferring data and tasks from upper lanes (e.g.,production platforms) and lower lanes (e.g., development platforms),isolating computers or executors that fail, efficiently transferringstate information and tasks from a failed computer or executor toanother, providing fallback controller processes in event of faults,hyper fencing files on a network and uncompressing before distributionor assigning to one or more cores, and providing a variety of postprocess reports such as obfuscation summary reports, data processingsummary reports, data forensics reports, and resource leakage reports.

Referring to FIG. 1A, computing environment 100 may include one or morecomputer machines or systems. For example, computing environment 100 mayinclude various computer machines such as one or more masters and/orslaves 110 for distributed processing, obfuscation computer machine(s)115, upper lane(s) 116 (e.g., production platforms), lower lane(s) 117(e.g., development regions, system integration testing regions, useracceptance testing regions, application vulnerability testing regions,etc.), an enterprise data storage platform 120, enterprise computinginfrastructure 130, an enterprise user computing machine 140, anadministrative computing machine 150, and an enterprise computer system160. As illustrated in greater detail below, each element in computingenvironment 100 may include one or more computing machines andassociated components operating computer software and data configured toperform one or more of the functions described herein.

In addition, and as illustrated in greater detail below, master andslave computing machine(s) 110, obfuscation computer machine(s) 115,upper lane(s) 116, and/or lower lane(s) 117, may be configured toperform various distributed processing functions described herein aswell as store, access, and/or act on enterprise data. Enterprisecomputing infrastructure 130 may include one or more computer machinesand/or other computer components. In addition, and as illustrated ingreater detail below, enterprise computing infrastructure 130 may beconfigured to provide various enterprise and/or back-office computingfunctions for an organization, such as a financial institution. Forexample, enterprise computing infrastructure 130 may include variouscomputer machines and/or computer-executable software and that storeand/or otherwise contain account information, such as financial accountinformation including account balances, transaction history, accountowner information, and/or other information. In addition, enterprisecomputing infrastructure 130 may process and/or otherwise executetransactions on specific accounts based on commands and/or otherinformation received from other computer systems included in computingenvironment 100. Additionally or alternatively, enterprise computinginfrastructure 130 may load data from enterprise data storage platform120, manipulate and/or otherwise process such data, and return modifieddata and/or other data to enterprise data storage platform 120 and/or toother computer machines or systems included in computing environment100.

Enterprise user computing device 140 may be any type of computer machineand may be linked to and/or used by a specific enterprise user (who may,e.g., be an employee or other affiliate of an enterprise organizationcontrolling and/or interacting with master and slave computing device(s)110). Administrative computing device 150 may be any type of computermachine and may be linked to and/or used by an administrative user (whomay, e.g., be a network administrator of an enterprise organizationcontrolling and/or interacting with master and slave computing device(s)110). Enterprise computer system 160 may be any type of computer machineand may be linked to and/or used by one or more external users (who may,e.g., not be associated with an enterprise organization controllingand/or interacting with master and slave computing device(s) 110).

Computing environment 100 also may include one or more networks, whichmay interconnect one or more of master and slave computer machine(s)110, obfuscation computer machine(s) 115, upper lane(s) 116, and/orlower lane(s) 117, enterprise data storage platform 120, enterprisecomputing infrastructure 130, enterprise user computing device 140,administrative computing device 150, and enterprise computer system 160.For example, computing environment 100 may include a private network 170(which may, e.g., interconnect master and slave computer machine(s) 110,obfuscation computer machine(s) 115, upper lane(s) 116, and/or lowerlane(s) 117, enterprise data storage platform 120, enterprise computinginfrastructure 130, enterprise user computing device 140, administrativecomputing device 150, and/or one or more other computer machines orsystems, which may be associated with an organization, such as afinancial institution), and public network 180 (which may, e.g.,interconnect enterprise computer system 160 with private network 170and/or one or more other computer machines, systems, public networks,sub-networks, and/or the like).

In one or more arrangements, computer machines and the other systemsincluded in computing environment 100 may be any type of computingdevice capable of providing a user interface, receiving input via theuser interface, acting on the input, accessing or processing big data,controlling other computer machines and/or components thereof based onthe input, and communicating the received input to one or more othercomputing machines. As noted above, and as illustrated in greater detailbelow, any and/or all of the computer machines of computer environment100 may, in some instances, be special-purpose computing devicesconfigured to perform specific functions.

Referring to FIG. 1B, one or more computer machines or platforms 190,such as, for example, any of those identified in FIG. 1A, may includeone or more processors 111, memory 112, and communication interface 113.A data bus may interconnect processor 111, memory 112, and communicationinterface 113. Communication interface 113 may be a network interfaceconfigured to support communication between one or more computermachines in computer environment 100 and one or more networks (e.g.,private network 170, public network 180, or the like). Memory 112 may bevolatile or non-volatile, and may include computer software and datasuch as, for example, one or more program modules having instructionsthat when executed by processor 111 cause a computer machine, such asmaster and/or slave computer machine(s) 110, obfuscation computermachine(s) 115, upper lane(s) 116, and/or lower lane(s) 117, to performone or more functions described herein and/or one or more databases orother distributed file systems that may store and/or otherwise maintaininformation which may be used by such program modules and/or processor111. In some instances, one or more program modules and/or databases maybe stored by and/or maintained in different memory units (local oraccessible across the network) of computer machine 190 and/or bydifferent computing devices that may form and/or otherwise make up acollection of computer machines. For example, memory 112 may have,store, and/or include a obfuscation module 112 a, big data ordistributed file systems 112 b, NPI data 112 c, a resource allocationand rebate module 112 d, a fault handling module 112 e, a fallbackcontroller module 112 f, a state handling module 112 g, a hyper fencemodule 112 h, and one or more report generation modules 112 i.

In some embodiments, obfuscation module 112 a may be an adaptiveapplication that performs in-flight data masking and on-demand data lakeencryption, which facilitates scalability and failover. It can bedeployed in a single-tier or two-tier architecture and can beself-contained. It can perform extraction, obfuscation, and loading fromdisparate sources of big data, databases, and legacy relationaldatabases. Multiple obfuscation techniques can be deployed and managedby different services implementing a distributed algorithm with anagent's controller/services that directs endpoint functionality,catalogs locations of sensitive NPI data, and tracks masked data jobs.Obfuscation module 112 a may utilize different obfuscation techniquesthat are used in multi-structures embedded redacting, and may includeencryption, predefined masks, random generation, and regular expression.Encryption may be through a Base64 algorithm or other as desired.Encryption text-to-binary schemes may be used to maintain referentialintegrity such as with a foreign key. Predefined masks are masksprovided with the application in order to expedite the obfuscationprocess with common obfuscation cases. Random generation is anobfuscation method to randomly generate values from any of thepredefined mask categories, or to create random values based on datatypes. Regular expression obfuscation is used to capture patterns invalues and replace them with a replacing value format that can be set bythe user, administrator, or programmer in a replacing value formatfield.

The agent's controller refers to any type of orchestration service thatcan coordinate processes in an application manager. Cataloging candenote a list of various NPI data that may be contained in tables orother configurations in the software and data, which are ready forobfuscation. This need not be a separate silo process and, instead, canbe part of masking rules or obfuscator types, and the jobs can betracked by process IDs.

Other modules such as, for example, resource allocation and rebatemodule 112 d, fault handling module 112 e, a fallback controller module112 f, a state handling module 112 g, hyper fence module 112 h, andreport generation modules 112 i are described in more detail below inreference to other figures.

FIG. 2 depicts an illustrative method for big data obfuscating inaccordance with one or more example embodiments. In some embodiments, auser can login and provide credentials via one or more various protocolssuch as, for example, active directory (AD) or lightweight directoryaccess protocol (LDAP) in step 201. In step 202, an auto provisioningrole for the logged in user is assigned and a user profile can beloaded. This can identify a group to which the user belongs (e.g.,administrator, standard user, etc.) and the level of access that can begranted within the application based on the rights available to membersof the assigned group.

In step 203, server configuration and data connection properties aredefined. Data connection properties can be used to establish aconnection to one or more applicable databases, data stores, and/ordistributed file systems. Sample fields for connecting can include: aconnection name (to name the connection for setup), a database (todefine the database name), and a server configuration (to define aserver network location, port address, etc.). Secure Shell or SecureSocket Shell (i.e., SSH) cryptographic hashing can be used to providesecurity.

In step 204, registration is performed with a multiple data obfuscatorfor redaction. Here, the application provides support to registermultiple data obfuscation types such as on-demand encryption throughBase64 and/or an encryption text-to-binary scheme that maintainsreferential integrity, random generation of characters for replacement,predefined masking for popular categories such as names, addresses, orcredit cards, and regular expressions to define masking of data fortypical circumstances.

In step 205, one or more various selected masking rules can be appliedand obfuscation of NPI in big data can be triggered. As referencedpreviously, NPI (e.g., social security numbers, personal banking accountnumbers, personal transactions etc.) is highly confidential and cannotbe shared with the public or in lower lane development and can be maskedby the above-mentioned masking rules or the obfuscation types. One-waymasking can be applied when copying from an upper lane productionenvironment to a lower lane development environment where unmasking thedata is not necessary. Unmasking can also be supported by differentmethodologies to transform the masked data back into its originalformat. Determinations can be catalogued for column level selections indata tables based on a user's choice and obfuscation can be applied onthe fly towards the lower environment.

In some embodiments, step 206 can diagnose resource allocations andinitiate resource rebates for obfuscation such as, for example, by asmart assist RAM rebate (SARR). A more detailed explanation of sampleresource allocations and rebates is explained later in this disclosure.

In some embodiments, step 207 can implement a custom-speculative cagehandler and/or other fault handling and isolation algorithm to detectfaults, isolate faults, and transfer prosecution of tasks from oneexecutor to another executor in the cluster.

As illustrated in FIG. 1C, executor(s) 1311, 1312, 1321, 1322, are oneor more processes launched for an application on a worker node 1310,1320, that runs tasks (e.g., Tasks A-M) and keeps data in memory or diskstorage across them. A computer cluster 1300 is a set of loosely ortightly connected computers that work together so that, in manyrespects, they can be viewed as a single system. Unlike grid computers,computer clusters have each node set to perform various tasks,controlled and scheduled by software, such as a cluster manager 1301. Anode is a device or data point in a larger network.

Tasks to be transferred can be transferred from a safe state point suchthat the entire task does not need to be re-executed from the beginningand only the remaining items to be performed in the task need to betransferred to an operable executor within the same or adjacent node inthe cluster. A more detailed explanation of various embodiments ofsample fault handling is provided below in reference to other figures.

In step 208, a multi-structures embedded redactor is running andmonitoring the progress of various jobs or tasks at frequent intervalssuch as, for example, every 10 milliseconds. The timing and monitoringmay be controlled by applicable scripts.

If a job fails to complete, then, in step 209, a fall back controllercan perform a graceful and safe stoppage on in-memory processing of abatch process. A more detailed explanation of various embodiments ofsample fall back controlling is provided below in reference to otherfigures.

Otherwise, in step 210, obfuscation is performed through the usage ofone or more various Java APIs or the like. Data can be distributed inblocks across partitions and split into clusters while computing. And,for each column level a masking rule or obfuscator type can be appliedover the corresponding values when migrated from a source location to atarget location. In-flight obfuscation with Data Lake on-demandencryption from disparate sources may be used. In this context, DataLake means that, unlike purpose-built data stores and databasemanagement systems, data may be dumped in its original format, may beunmanaged, and may be available to one or more individuals across anenterprise.

In step 211, data is sanitized from multiple big data productionplatforms to lower lanes. This refers to accessing the productionenvironment, establishing a connection to the relevant database tablesfor extraction, and registering with defined obfuscation methods overthe column level data from the source location. The multi-structuresembedded redactor is triggered to obfuscate the selected data andtransfer it to lower lane environments. This can be accomplished throughhyper fencing, which is describe in detail below with respect to otherfigures.

In step 212, post process reports can be generated such as illustratedin FIGS. 9, 10, 11, and 12. As shown in FIG. 9, an obfuscation summaryreport 900 can display the percentage of columns obfuscated by aparticular table mapping or obfuscation type, and can include detailssuch as: table mapping (the name of the table mapping) 902, User ID (theuser who creates the table mapping) 904, and obfuscation percentage (thepercentage of columns being obfuscated per table mapping definition)906.

In addition or alternatively, as shown in FIG. 10, a data processingsummary report 1000 can display the results from a data processing joband its details such as: Job Id—for tracking purposes 1002, thegenerated job identification number for the obfuscation job 1004;Mapping Name—the mapping definition of each column registering withobfuscator types or masking rules 1006; From Cluster—the source cluster1008; To Cluster—the target cluster 1010; Starting Time—the time anddate the obfuscation job was started 1012; End Time—the time and datethe obfuscation job ended 1014; Total Rows—the total number of rows thatwere processed in the obfuscation job 1016; User Id—the user who startedthe obfuscation job 1018; and/or Service Id—the Service ID correlatedwith the user who ran the obfuscation job 1020. If successful, theprocess can end. Otherwise, the process can be repeated in whole or inpart by returning to step 201.

In addition or alternatively, as shown in FIG. 11, a data forensicsreport 1100 can display forensic details such as Job Id—for trackingpurposes 1102, the generated job identification number for theobfuscation job 1104, the Mapping Name—the mapping definition of eachcolumn registering with obfuscator types or masking rules 1106, FromCluster—the source cluster 1108, To Cluster—the target cluster 1110,Starting Time—the time and date the obfuscation job was started 1112,End Time—the time and date the obfuscation job ended 1114, Recent DataSize—the data size captured that had been migrated from the previousactivity 1116, Delta Load Size—the incremental data size captured forprocess submission(s) 1118, CPU Snapshot—captures CPU statisticsinvolved in the process for recent data migration 1120, RAMSnapshot—captures RAM statistics involved in the process for recent datamigration 1122, Disk Snapshot—captures disk statistics involved in theprocess for recent data migration 1124, and Reliability Factor—factorresembles by denoting number of times the same migration got triggeredby any user 1126.

In addition or alternatively, as shown in FIG. 12, a resource leakagereport 1200 can include a Job Id—for tracking purposes 1202, Job No.—thegenerated job identification number for the obfuscation job 1204,Mapping Name—the mapping definition of each column registering withobfuscator types or masking rules 1206, From Cluster—the source cluster1208, To Cluster the target cluster 1210, Starting Time—the time anddate the obfuscation job was started 1212, End Time—the time and datethe obfuscation job ended 1214, Crash Indicator—indicator(s) thatrepresent number of crashes occurred in the job 1216, and a RevivalNo.—number of revivals offered for new executors added in the job.

FIG. 3 depicts an illustrative method for hyper fencing in accordancewith one or more example embodiments. This can determine the in-memoryprocessing framework to hyper fence any type of files on network anduncompress them before sending to any single core, other component, orother computer machine. A processor core (or simply “core”) is anindividual processor within a CPU. Many computers today have multi-coreprocessors, meaning the CPU contains more than one core.

Hyper fencing refers to halting files entering into cores or the likefor processing and initial decompression for each individual tiny file.The algorithm can initiate an API call, which involves methods orfunctions such as FileInputStream, FileOutputStream andInflaterInputStream to decompress the files. Distribution of data blocksto individual cores can be performed through an orchestration service,which handles processing of jobs. This solves the problem of large spansof time being wasted in cores or the like by unzipping files in sequenceif the input data files are in multiple fragments to avoid the resultantcached distributed datasets with multiple tiny partitions. Data isdistributed in blocks across partitions and split in the cluster whilecomputing. Masking rules or obfuscator types can be applied on a columnlevel or the like over corresponding values when migrated from a sourcelocation to a target location. Input files can be of any type andstructure as they may originate from disparate sources. If the inputfile is found to be with multiple fragments or many tiny filesinternally, then, processing may result in heavy utilizing of the coresor the like. This is time consuming in distributed cluster computing andis a performance penalty.

In step 302, the total compressed file size available for a process canbe determined. The file size can be the sum of uncompressed files perpartition sizes. In step 304, the type of compression codec applied overthe data can be determined. The type of compression codec can bedetermined by reading the first few bytes of the file or by using anoperating system utility to identify the compression codec for instance:“file” Command “file tmp.txt.gz” in Linux environments to determine thecompression codec. In big data, the following are the most commonly usedcodecs: Gzip (a compression utility that was adopted by the GNUproject); Gzip (short for GNU zip, generates compressed files that havea .gz extension, the gunzip command is also used to decompress filesthat were created by a number of compression utilities, including Gzip);Bzip2 (from a usability standpoint, Bzip2 and Gzip are similar, Bzip2generates a better compression ratio than does Gzip, but it is muchslower); Snappy (this codec from Google provides modest compressionratios, but fast compression and decompression speeds and, in fact, ithas the fastest decompression speeds, which makes it highly desirablefor data sets that are likely to be queried often); and LZO (similar toSnappy, LZO provides modest compression ratios, but fast compression anddecompression speeds).

If successfully identified, the data form factor can be uncompressed instep 306. Otherwise, the process or a modified version thereof can berepeated in step 302. The uncompressed file can be split into any number(“n”) blocks up to an arbitrary limit such as, for example, 128 MB. Onetask could be assigned for each input split. In any cluster, computingdata can be segregated into small chunks known as data blocks. Datablocks can be the smallest unit of data in an underlying file system.Since the underlying file system stores files as blocks with a minimumsize as per a standard, this can be the defined block size or data chunkinvolved in the cluster computing.

From a pseudo code perspective, sample hyper fencing could be consideredas follows.

-   1. Determine Total Compressed File size available for Process    -   File size=Sum of (Uncompressed file per partitions size)-   2. Finding type of Compression codec applied over the data    -   io.compression.codec(gzip/lz4/lzf/snappy)    -   getCodecName(conf: ValConf): String-   3. Uncompressing the data form factor    -   sqlContext.setConf(“sql.parquet.compression.codec”,        “uncompressed”)-   4. Splitting into ‘n’ data chunks up to 128 MB from the uncompressed    files    -   N=1 task per input split

FIG. 4 depicts an illustrative method for fallback controlling inaccordance with one or more example embodiments. Fallback controlling isthe use of heuristic process(es) deployed to specify a graceful stoppingpoint and separation of duties from the respective process against oneor more obfuscation/transfer processing components. Heuristic methodscan be used to speed up the process of finding a satisfactory solution.Heuristics can be shortcuts that ease the technical cognitive load ofmaking a decision. These services engage roll back protocols andreinstate the framework by ceasing batch jobs that are in progress andreducing the target system downtime. Any critical stoppage due to thedisparate sources can be handled and mitigated. Accordingly, in step402, a determination is made of all batch processes running againstcurrent data migration. In step 404, a roll back threat investigator canbe initiated.

In step 406, state points for jobs or the like can be created atprogressive time intervals through a task process. Each prior statepoint can be revoked as time progresses as task steps are completed inorder to facilitate data migration. State points, which contain reliabledata content at certain points in time, are responsible for updating anymovement in new data or updated data while migrating from memory suchas, for example, a RAM buffer cache, to the target location and/or lowerlanes as the job is divided from a long transaction into smaller parts.State point data can be created at different time intervals withcorresponding time stamp data sizes and user ids while denoting therelevant processes such as (Start/Running/On-Hold/Completed). Statepoint data keeps the buffer cache or the like and correspondingdatafiles synchronized. This synchronization is part of the mechanismwhich ensures that data can be recovered due to any process fault. It isalso an important activity which can record system change(s) so thatdata blocks less than or equal to the state point data are known to bewritten out to the data files after initiating the recovery process. Ifthere is a failure and then subsequent cache recovery, only the redorecords containing changes at higher than the state point data need tobe applied during recovery. This obviates the need to re-compute entiretasks or jobs, and thereby substantially increases system performance.

In step 408, data migration metrics can be collected. Each categorycould include the new load and the incremental load. Data migration inthis context is the process of selecting, extracting, applyingobfuscation rules and masking data by transferring from upper lanes(e.g., production platforms) to lower lanes (e.g., development regions,system integration testing regions, user acceptance testing regions,application vulnerability testing regions, etc.). After a fault, theresidual or left out data that was processed can be transferred frommemory, such as a RAM buffer, to the respective target location.However, if a target location becomes inaccessible, then the buffer datacan be kept in the dedicated soft storage (i.e., temporary storage areafor data with its last state point) and copied into target location oncethe servers are back online.

Data migration metrics can be collected through audit logs, which cansave some or all of the records for an event that is transpiring in thesystem. In addition to saving what resources were accessed, audit logentries can also include destination and source addresses, timestamps,and user login information. They can be stored in the table (row/column)format or the like, which can be examined through earlier jobsubmissions and its base metrics that can include the size of the data,RAM allocated, Disk I/O, storage memory, cache memory, and Java virtualmachine memory or the like.

Full and new load information can be a set of all new data inserted frominitiation, whereas the incremental load can be a set of new records andupdated ones inserted to the existing data and can be determined byupdated timestamp fields. The main attributes for calculating the loadare checksum and timestamp fields. Checksums are typically used tocompare two sets of data to make sure they are the same. It is a sumthat checks the validity of data. A timestamp field or the like is asequence of characters when a certain event occurred, with date and timeof day, and can be accurate to a small fraction of a second.

In step 410, the roll back threat investigator can evaluate a transferindicator count, which could be the total number of rows in a sourceminus the total number of rows in a target. If the transfer indicator isgreater than zero, then, the transfer is complete and data migrationaudit logs can be updated in step 412. If the transfer indicator is notgreater than zero, then a fault has occurred and, in step 414, othersub-batch jobs can be gracefully and safely stopped, and componentseparation duties can be enabled. The roll back threat investigator canbe a daemon or thread process which does periodic checking for timeinterval “t” on the job state if it had any termination. Posttermination it takes care of applying the roll back protocols andsoftening the stoppage gracefully.

In step 416, loads for various applicable processes can be incrementallyremoved. This is the deletion of some or all of everything that occurredafter the last applicable state point. Stated differently, incrementalversions that are redundant as identified by the state point data can beremoved in whole or part. This enhances obfuscated data life cyclemanagement to prevent data deletion. This means that there is no datadeletion for everything up to the state point. It protects valid datafrom deletion from memory such as, for example, in a RAM buffer cache,and reduces further processing efforts, since the task does not need tobe performed again from the beginning in its entirety.

In step 418, transient soft storage (i.e., temporary volatile memory)can be utilized to copy the new load with obfuscated pending data. Instep 420, the connection establishment to target system can be revivedwith a number of attempts for each time interval. If revival was notsuccessful, the load from the transient soft storage copy to the targetsystem can be performed in step 422, and state points could be createdagain in step 406. Otherwise, the fallback process can complete.

From a pseudo code perspective, sample fallback control could beconsidered as follows.

-   -   1. Identify all batch processes running against current Data        migration.    -   2. Initiate Roll Back Threat Investigator    -   3. State Point creation for different intervals        -   (Start/Running/Other Zombie process)        -   Revoking recent State Points to initiate data migration    -   4. Collect Data Migration metrics        -   Category=(New Load+Incremental Load)    -   5. Roll Back Threat Investigator        -   Txfr Indicator>0        -   Txfr Indicator=(Total No. of Rows in Source−Total No. of            rows in Target)    -   6. Transfer Completion & Updating Data Migration Audit Logs    -   7.—If No, Graceful stoppage of other sub-batch jobs and        component separation duties enabled    -   8.—If Yes,        -   (a) Granting incremental load removal from zombie processes        -   (b) Initiating transient soft storage to copy new load            Obfuscated pending data        -   (c) Reviving Connection establishment to Target System to            load transient soft storage copy

FIGS. 5 and 6 depict illustrative methods for resource allocation andrebating in accordance with one or more example embodiments. As can beseen by the names of the various steps in FIGS. 2 and 5, many of thesteps correspond to one another and are not repeated herein for brevity.These steps include verifying user credentials 201/501, autoprovisioning 202/502, defining server configurations 203/503,registering with multiple data obfuscators for redaction 204/504,applying various selected masking rules 205/505, diagnosing resourceallocations and rebates 206/506, running multi-structures embeddedredactor 208/507, Java or the like TCP/IP interactions 210/508, datasanitization 211/509, and post process report generation 212/510.However, in FIG. 5, after the multi-structures embedded redactor isrunning and monitoring the progress of various jobs or tasks at frequentintervals such as, for example, every 10 milliseconds, the processreturns to step 504 in the event of a negative output.

In FIG. 6, resource allocation and rebate processes first determine instep 602 the total available nodes, cores, and RAM in a cluster. In step604, the number of cores and/or executors and size of RAM allocated,excluding overhead, is evaluated.

In step 606, the number of cores can be determined to be the number ofcurrent tasks assigned per executor. The total number of executors canbe determined to be equal to the total number of cores per node dividedby the number of cores-per-executor, minus 1, multiplied by the totalnumber of nodes. The RAM overhead can be determined to be the maximumRAM multiplied by 7% (or another suitable percentage) multiplied by theexecutor memory. The size of RAM per executor can be calculated to bethe total size of the RAM divided by the number of executors per node,minus the RAM overhead.

In step 608, the value for the memory per job can be determined. “Mem”can be calculated to be the driver memory plus “X” MB plus the productof the number of executors multiplied by the sum of the executor memoryplus “X” MB.

In step 610, the memory reads a namenode to determine the total memoryand the memory used. The memory may be in YARN (yet another namenode) orany other resource management and job scheduling technology. A Boolean“val” variable is set to equal true if the memory total minus the memoryused is greater than “Mem.” If true, the process proceeds to step 612;otherwise, it returns to step 602 to repeat the analysis.

In step 612, the benchmark audit logs table is analyzed to determinestorage memory and shuffle write per job modeling through a smart assistregression algorithm, which is a custom machine learning model used topredict an optimal value involved in RAM allocation and is trained basedon historical records. In the model, the independent variables mayinclude the size of the data, Disk I/O, Storage memory, Cache Memory,Java virtual machine memory, and any other applicable memory. Thedependent variable will be the amount of allocated RAM. The smart assistregression is thus Y=X1+X2+X3+X4+X5, wherein Y is the RAM allocated, X1is the data size, X2 is the Disk I/O, X3 is the storage, X4 is the CacheMemory, and X5 is the Java virtual machine memory.

In step 614, the obfuscator initiates the same job for any delta orincremental loads for the same dataset.

In step 616, if the shuffle write is greater than zero, then the processsets shuffle.memoryFraction to 1 and storage.memoryFraction to zero.

In step 618, if shuffle write equals zero and the storage memory isfull, then the set number of executors is greater than the incremental.

FIGS. 7 and 8 depict illustrative methods for handling faults inaccordance with one or more example embodiments.

As can be seen by the names of the various steps in FIGS. 2 and 7, manyof the steps correspond to one another and are not repeated herein forbrevity. These steps include verifying user credentials 201/701, autoprovisioning 202/702, defining server configurations 203/703,registering with multiple data obfuscators for redaction 204/704,applying various selected masking rules 205/705, runningmulti-structures embedded redactor 208/707, Java or the like TCP/IPinteractions 210/708, data sanitization 211/709, and post process reportgeneration 212/710. However, in FIG. 7, after the masking rules areapplied and the big data obfuscator is triggered, a cage handling faultdetection, isolation, and/or transferring algorithm can be implementedin step 706.

In this sample custom-speculative cage handler of step 706, thealgorithm can determine the current process to cage each executor thatcrashed during the stages in any in-memory processing framework. Thisavoids future use of the caged executors by not picking them up fromagent submission for upcoming tasks while performing obfuscation inunits. The caging of executors may be necessary based on loss of a node.In this context, agent submission refers to the applicationmaster/manager, which reattempts to submit jobs to re-compute lost tasksfrom failed nodes, although there is no guarantee whether the failednodes will be back online during the wait. The agent submission enhanceslow latency and improved performance as crashed executors are avoidedand not reused by default speculative executors, which can be includedin an in-memory processing framework.

In FIG. 8, the total number of cores in a cluster can be determined instep 802. Values can be set for the minimum and maximum executors forthe in-memory processing configuration selected in step 804. The minimumand maximum executors can be determined by the values set in theconfiguration xml in the cluster.

In step 806, the number of fat executors assigned per process can bedetermined based on the total number of cores divided by the number ofcores per executor, minus 1. In this example, fat executors could be oneexecutor per node, whereas tiny executors could be one executor percore.

In step 808, a determination is made regarding the exit status for acrashed executor address from the executor data map. If negative, theprocess repeats at step 802. Otherwise, if positive, the exist status isset in step 810. Here, the executor data map is a table-like structure,which holds all the list of spawned executors and data block addressesthat are fed into corresponding executors for processing. When there isa crash in the executor, it can fail with an error code or exit statusfrom which it can be identified promptly.

In step 812, the process enables the addition of executors on thebacklog of pending tasks. A receive offer is sent in for new executorsadded in step 814, which means that new executors are summoned for theprocess. In step 816, resource offers for newly added executors arecreated.

From a pseudo code perspective, an example cage handling process can beconsidered as follows.

-   1. Determine Total available of cores in cluster-   2. Value set for min and max executors    -   dynamicAllocation.minExecutors    -   dynamicAllocation.maxExecutors-   3. Identify number of Fat Executors assigned per process    -   No. of Fat executors=(Total cores/num-cores-per-executor)−1    -   (Leaving 1 executor for ApplicationManager)-   4. Determine Info—exitStatus for crashed executor address from the    executor data map with addressToExecutorld-   5. Crashed Executors are gracefully decommissioned with external    shuffle service shuffle.io.maxRetries & shuffle.io.retryWait-   6. Enable to add executors on backlog of pending tasks    -   dynamicAllocation.schedulerBacklogTimeout-   7. Revive offer is sent in for new executors added    -   scheduler.revive.interval-   8. Creating resource offers for newly added Executors    -   makeOffers(executorId: String): Unit

One or more aspects of the disclosure may be embodied in computer-usabledata or computer-executable software or instructions, such as in one ormore program modules, executed by one or more computers or other devicesto perform the operations described herein. Generally, program modulesinclude routines, programs, objects, components, data structures, andthe like that perform particular tasks or implement particular abstractdata types when executed by one or more processors in a computer orother data processing device. The computer-executable instructions maybe stored as computer-readable instructions on a computer-readablemedium such as a hard disk, optical disk, removable storage media,solid-state memory, RAM, and the like. The functionality of the programmodules may be combined or distributed as desired in variousembodiments. In addition, the functionality may be embodied in whole orin part in firmware or hardware equivalents, such as integratedcircuits, application-specific integrated circuits (ASICs), fieldprogrammable gate arrays (FPGA), and the like. Particular datastructures may be used to more effectively implement one or more aspectsof the disclosure, and such data structures are contemplated to bewithin the scope of computer-executable instructions and computer-usabledata described herein.

Various aspects described herein may be embodied as a method, anapparatus, or as one or more computer-readable media storingcomputer-executable instructions. Accordingly, those aspects may takethe form of an entirely hardware embodiment, an entirely softwareembodiment, an entirely firmware embodiment, or an embodiment combiningsoftware, hardware, and firmware aspects in any combination. Inaddition, various signals representing data or events as describedherein may be transferred between a source and a destination in the formof light or electromagnetic waves traveling through signal-conductingmedia such as metal wires, optical fibers, or wireless transmissionmedia (e.g., air or space). In general, the one or morecomputer-readable media may be and/or include one or more non-transitorycomputer-readable media.

As described herein, the various methods and acts may be operativeacross one or more computing servers and one or more networks. Thefunctionality may be distributed in any manner or may be located in asingle computing device (e.g., a server, a client computer, and thelike). For example, in alternative embodiments, one or more of thecomputing platforms discussed above may be combined into a singlecomputing platform, and the various functions of each computing platformmay be performed by the single computing platform. In such arrangements,any and/or all of the above-discussed communications between computingplatforms may correspond to data being accessed, moved, modified,updated, and/or otherwise used by the single computing platform.Additionally, or alternatively, one or more of the computing platformsdiscussed above may be implemented in one or more virtual machines thatare provided by one or more physical computing devices. In sucharrangements, the various functions of each computing platform may beperformed by the one or more virtual machines, and any and/or all of theabove-discussed communications between computing platforms maycorrespond to data being accessed, moved, modified, updated, and/orotherwise used by the one or more virtual machines.

Aspects of the disclosure have been described in terms of illustrativeembodiments thereof. Numerous other embodiments, modifications, andvariations within the scope and spirit of the appended claims will occurto persons of ordinary skill in the art from a review of thisdisclosure. For example, one or more of the steps depicted in theillustrative figures may be performed in other than the recited order,and one or more depicted steps may be optional in accordance withaspects of the disclosure.

What is claimed is:
 1. A multilevel computing platform for performingin-flight data masking and on-demand encryption of big data on a networkcomprising: a data store coupled to the network, said data storecontaining a big data dataset including sensitive information andnon-sensitive information; an upper lane platform having: a plurality ofupper processors, at least one upper communication interfacecommunicatively coupled to the plurality of upper processors and thenetwork, and an upper computer-readable memory communicatively coupledto the at least one upper communication interface, the uppercomputer-readable memory storing upper computer-executable instructionsthat, when executed by one or more of said plurality of upperprocessors, cause the upper lane platform to: authenticate a request forthe big data dataset received via the upper communication interface froma lower lane platform; auto provision a profile corresponding to therequest; assign access rights for the request based on the profile;define server configuration and data connection instructions for thedata store containing the big data dataset; securely connect the upperplatform to the data store via the upper communication interface basedon the server configuration and the data connection instructions;register at least one multiple data obfuscation type; load the big datadataset from the data store into a first upper sector in the uppercomputer-readable memory via the upper communication interface;determine a compression codec applied to the big data dataset;uncompress the big data dataset into uncompressed data blocks based onthe compression codec, said uncompressed data blocks stored in a secondupper sector in the computer-readable memory; distribute theuncompressed data blocks to said plurality of upper processors forsanitization; search the big data dataset for the sensitive informationto be redacted; redact into a sanitized dataset the sensitiveinformation in the big data dataset based on said at least one multipledata obfuscation type and the non-sensitive information; store thesanitized dataset in a third upper sector of the upper computer-readablememory; encrypt the sanitized dataset into encrypted data in a fourthupper sector in the upper computer-readable memory; transmit theencrypted data to the lower lane platform via the upper communicationinterface; and the lower lane platform having: at least one lowerprocessor, at least one lower communication interface communicativelycoupled to the at least one lower processor and the network, and a lowercomputer-readable memory communicatively coupled to the at least onelower communication interface, the lower computer-readable memorystoring lower computer-executable instructions that, when executed bysaid at least one lower processor, cause the lower lane platform to:transmit the request for the big data dataset via the lowercommunication interface to the upper platform; receive the encrypteddata via the lower communication interface from the upper platform;store the encrypted data in a first lower sector of the lowercomputer-readable memory; decrypt the encrypted data into the sanitizeddataset; and store the sanitized dataset in a second lower sector of thelower computer-readable medium.
 2. The multilevel computing platform ofclaim 1 wherein the distribution of the uncompressed data blocks to saidplurality of upper processors for sanitization is performed by anorchestration service.
 3. The multilevel computing platform of claim 2wherein the compression codec is determined by reading a plurality ofinitial bytes of a file in the big data dataset.
 4. The multilevelcomputing platform of claim 3 wherein the compression codec is Gzip,Bzip2, Snappy, or LZO.
 5. The multilevel computing platform of claim 3wherein the uncompressed data blocks are at least 128 MB.
 6. Themultilevel computing platform of claim 3 wherein the sensitiveinformation is redacted using a pre-defined mask.
 7. The multilevelcomputing platform of claim 3 wherein the sensitive information isredacted using random generation.
 8. The multilevel computing platformof claim 3 wherein the sensitive information is redacted using regularexpression obfuscation.
 9. The multilevel computing platform of claim 3wherein the regular expression obfuscation is used to capture patternvalues and replace the pattern values with a replacing value format. 10.The multilevel computing platform of claim 3 wherein the encryption isperformed using data lake encryption.
 11. The multilevel computingplatform of claim 3 wherein the encryption is performed using a Base 64algorithm.
 12. The multilevel computing platform of claim 3 wherein theencryption is performed using a text-to-binary scheme.
 13. Themultilevel computing platform of claim 3 wherein the uppercomputer-readable memory also stores report computer-executableinstructions that, when executed by one or more said plurality of upperprocessors, cause the upper lane platform to generate a post processreport.
 14. The multilevel computing platform of claim 13 wherein thepost process performance report is an obfuscation summary report. 15.The computing platform of claim 13 wherein the post process performancereport is a data forensics summary report.
 16. The computing platform ofclaim 13 wherein the post process performance report is a dataprocessing summary report.
 17. The multilevel computing platform ofclaim 3 wherein the upper computer-readable memory also stores rebatecomputer-executable instructions that, when executed by one or more saidplurality of upper processors, cause the upper lane platform to:diagnosing Random Access Memory (RAM) requirements and a current RAMallocation for the upper platform; and rebating a portion of the currentRAM allocation that exceeds the RAM requirements for the upper platform.18. The multilevel computing platform of claim 3 wherein the uppercomputer-readable memory also stores fault handling computer-executableinstructions that, when executed by one or more said plurality of upperprocessors, cause the upper lane platform to: detect a crashed executorfor a task; remove the crashed executor from a list of availableexecutors; and reassign an uncompleted portion of the task to anotherexecutor in the list of available executors.
 19. A non-transitorycomputer-readable medium with computer-executable instructions storedthereon executed by a plurality of processors on an obfuscation computermachine to perform in-flight data masking and on-demand encryption of abig data dataset stored in a data store on a network, said big datadataset including sensitive information and non-sensitive information,said obfuscation computer machine communicatively coupled to thenetwork, comprising: authentication instructions to authenticate arequest for the big data dataset based on credentials received from asource; auto provision instructions to identify a profile correspondingto the request, said profile stored in a first sector of thecomputer-readable medium; access instructions to assign access rightsfor the request based on the profile, said access rights stored in asecond sector of the computer-readable medium; server configuration anddata connection instructions to define connection properties for thedata store containing the big data dataset, said server configurationand said data connection properties stored in a third sector of thecomputer-readable medium; secure connection instructions to establish asecure connection from the obfuscation computer machine to the datastore based on the server connection and the data connection properties;registration instructions to register at least one multiple dataobfuscation type stored in a fourth sector of the computer-readablemedium; load instructions to load the big data dataset from the datastore on the network into a fifth sector of the computer-readablemedium; codec instructions to determine a compression codec applied tothe big data dataset; uncompress instructions to uncompress the big datadataset into uncompressed data blocks based on the compression codec,said uncompressed data blocks stored in a sixth sector in thecomputer-readable memory; distribution instructions to distribute theuncompressed data blocks to said plurality of processors forsanitization; search instructions to search the big data dataset for thesensitive information to be redacted; redaction instructions to redactinto a sanitized dataset the sensitive information in the big datadataset based on said at least one multiple data obfuscation type andthe non-sensitive information; storage instructions to store thesanitized dataset into a seventh sector of the computer-readable medium;encryption instructions to encrypt the sanitized dataset into encrypteddata, said encrypted data stored in an eighth sector of thecomputer-readable medium; and transmission instructions to transmit theencrypted data in response to the request.
 20. A computer-implementedmethod of in-flight data masking and on-demand encryption of big data ona network comprising the steps of: authenticating, by an obfuscationcomputer machine, a request for a big data dataset based on credentialsreceived from a source, said obfuscation computer machine coupled to thenetwork, said obfuscation computer machine having a plurality ofprocessors, said obfuscation computer machine containingcomputer-readable memory, said request stored in a first sector of thecomputer-readable memory; said big data dataset stored in a data storecoupled to the network, said big data dataset including sensitiveinformation and non-sensitive information; auto provisioning, by theobfuscation computer machine, a profile corresponding to the request,said profile stored in a second sector of the computer-readable memory;assigning, by the obfuscation computer machine, access rights for therequest based on the profile, said access rights stored in a thirdsector of the computer-readable memory; defining, by the obfuscationcomputer machine, server configuration and data connection propertiesfor the data store containing the big data dataset, said serverconfiguration and said data connection properties stored in a fourthsector of computer-readable memory; establishing, by the obfuscationcomputer machine, a secure connection from the obfuscation computermachine to the data store based on the server connection and the dataconnection properties; registering, by the obfuscation computer machine,at least one multiple data obfuscation type stored in a fifth sector ofcomputer-readable memory; loading, by the obfuscation computer machineinto a sixth sector of computer-readable memory, the big data datasetfrom the data store on the network; detecting, by the obfuscationcomputer machine, a compression codec for the big data dataset;uncompressing, by the obfuscation computer machine, the big data datasetinto uncompressed data blocks based on the compression codec, saiduncompressed data blocks stored in a seventh sector in thecomputer-readable memory; distributing, by the obfuscation computermachine, the uncompressed data blocks to said plurality of processorsfor sanitization; searching, by the obfuscation computer machine, thebig data dataset for the sensitive information to be redacted; redactinginto a sanitized dataset, by the obfuscation computer machine, thesensitive information in the big data dataset based on said at least onemultiple data obfuscation type and the non-sensitive information;storing, by the obfuscation computer machine into an eighth sector ofcomputer-readable memory, the sanitized dataset; encrypting, by theobfuscation computer machine, the sanitized dataset into encrypted data,said encrypted data stored in a ninth sector of computer-readablememory; and transmitting, by the obfuscation computer machine, theencrypted data in response to the request.